Open standard for Single Sign-On (SSO) → Authentication

→ Security is decentralized and URL-based

→ Users can freely choose their identity and identity provider


It’s designed to solve:

Decentralized SSO, in which users choose their own identity provider.

That provider then decides how it authenticates the user (password, second factor, and so on); the relying party never sees the user’s credentials, only the result.

OpenID is used by: Google, Microsoft, Amazon Web Services, PayPal, etc.

OpenID Connect Authentication

  1. The app (relying party) starts an OAuth 2.0 authorization request, which must state a scope (what permission it is asking for).
  2. Including “openid” in the scope turns the request into an OpenID Connect authentication request: the app wants to know who you are, not only to access a resource.
  3. The request is sent to the identity provider, which then authenticates you by whatever method it chooses.
  4. If successful, the identity provider returns a signed ID token (and usually an access token as well) to the app. The ID token includes:

An example of such a provider is SwissID.

OpenID Connect Terminology

Relying Party (RP): the OAuth 2.0 client, i.e. the service or app that wants to authenticate you and consumes the ID token.

OpenID Provider (OP): the identity provider (OAuth 2.0 authorization server) that the user has chosen; it authenticates the user and issues the ID token to the RP.

Process

The Relying Party (OAuth 2.0 Client) requests a signed ID Token from the OpenID Provider (OAuth 2.0 Authorization/Resource Server) to authenticate the user (OAuth 2.0 Resource Owner).
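The four numbered steps above and this Process line describe the same exchange: the RP sends an authentication request carrying scope=openid, state and nonce; the OP authenticates the user and answers with a signed ID token; the RP must validate that token before trusting the identity in it. The following is an added example, not code from these notes or from any named provider. The issuer URL, client ID, client secret and redirect URI are made-up placeholders, the OP is simulated in-process, and HS256 with the client_secret as key (one of the signing options OIDC Core permits) is used so that it runs offline with the standard library only.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlencode

# Hypothetical identifiers constructed for this example (not a real OP or RP).
OP_ISSUER = "https://op.example"
OP_AUTHORIZE_ENDPOINT = OP_ISSUER + "/authorize"
CLIENT_ID = "rp-app-123"
CLIENT_SECRET = "constructed-client-secret-do-not-reuse"  # doubles as the HS256 key
REDIRECT_URI = "https://rp.example/callback"


class IDTokenError(Exception):
    """Raised when the RP must reject an ID token."""

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> str:
    return _b64url(hmac.new(CLIENT_SECRET.encode(), signing_input.encode(), hashlib.sha256).digest())

def build_authorization_request(state: str, nonce: str) -> str:
    """Steps 1-2 (RP side): the URL the browser is sent to. 'openid' in scope
    turns a plain OAuth 2.0 authorization request into an OIDC authentication request."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,  # ties the callback to this browser session (anti-CSRF)
        "nonce": nonce,  # must come back inside the ID token (anti-replay)
    }
    return OP_AUTHORIZE_ENDPOINT + "?" + urlencode(params)

def op_issue_id_token(subject: str, nonce: str, now: int, lifetime: int = 300) -> str:
    """Steps 3-4 (OP side): after authenticating the user, mint a signed ID token.
    Real OPs mostly use RS256 with keys published at their JWKS endpoint."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": OP_ISSUER, "sub": subject, "aud": CLIENT_ID,
              "exp": now + lifetime, "iat": now, "nonce": nonce}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    return signing_input + "." + _sign(signing_input)

def forge_token(token: str, new_claims: dict, alg: str = None) -> str:
    """Attacker without the key: rewrite the payload, keep the old signature; with alg set, also rewrite the header and drop the signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims.update(new_claims)
    if alg is not None:
        header_b64, sig_b64 = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode()), ""
    return header_b64 + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + sig_b64

def rp_validate_id_token(token: str, expected_nonce: str, now: int) -> dict:
    """Step 4 (RP side): the checks OIDC Core 3.1.3.7 requires before trusting the token. Returns verified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise IDTokenError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's own alg
        raise IDTokenError("unexpected alg %r" % header.get("alg"))
    if not hmac.compare_digest(_sign(header_b64 + "." + payload_b64).encode(), sig_b64.encode()):
        raise IDTokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != OP_ISSUER:
        raise IDTokenError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise IDTokenError("token was issued to a different client")
    if now >= int(claims.get("exp", 0)):
        raise IDTokenError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise IDTokenError("nonce mismatch: replayed or injected token")
    return claims

def rp_accepts(token: str, expected_nonce: str, now: int) -> bool:
    """True if the RP would log the user in on this token, False if it rejects it."""
    try:
        rp_validate_id_token(token, expected_nonce, now)
        return True
    except IDTokenError:
        return False

def run_flow(now: int) -> dict:
    """End to end: RP builds the request, OP answers, RP validates the ID token."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    url = build_authorization_request(state, nonce)  # the browser would be redirected here
    # The redirect round-trip and the code-for-token exchange are skipped; the OP
    # answers with an ID token carrying the nonce from the request.
    token = op_issue_id_token("user-42", nonce, now)
    return rp_validate_id_token(token, nonce, now)
```

The point of the example is the RP side: an ID token is only proof of identity once signature, alg, iss, aud, exp and nonce have all been checked, and forge_token shows the tokens a validator without those checks would accept (a rewritten sub with the old signature, or alg=none with no signature at all). In a real deployment the RP also binds state to the browser session, exchanges the authorization code at the OP's token endpoint, and verifies RS256 signatures against the keys fetched from the OP's JWKS URL rather than a shared secret.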

Specifications